8/31/2006

A Moebius tape of recursivity

Haven't posted articles in a while and I'm sorry about that.

After Google disabled my mail account my Blogger account was disabled too. Silly me, I didn't see that coming, even though I knew that Google and Blogger have unified accounts.

Anyway, everything's fine now. I have access to both my mail account and my Blogger account again. But in the meantime I was setting up another blog and re-editing all the articles because I thought that my account was as good as gone. And that kept me busy all the time that I could have used to write.

I have a lot to write about.

Check scams are on the rise and I'm going to get back to this issue in a future article. Meanwhile, don't take a job as a "payment officer", don't take a job over the web, don't trust a "company" just because it has a website, and don't sell books (or anything else) to schools or academies in India, Africa or anywhere else if the order came by e-mail. Believe it or not, the scammers go to that extent to lure you into taking their "rubber" checks.

Phishing is high too. I've seen a lot of mail forms lately. These are the phishing messages that carry the HTML form for your data inside the message itself. No need to click a link and post on a web page; you can do it from the message. Which is more tempting, and it makes the actual phishing web page invisible. In fact the page is only a script that forwards the content of the form to the phisher's mail account. If you call it without the form fields you get nothing. And that makes it very hard to report to network administrators, because there's nothing to see when you follow the hyperlink. The only lead is the host named in the form's action, and that is what you have to report.

One of the scripts is totally legitimate, meaning that it was created and is used legally. But it's open to the general public when it was intended to serve the customers of a hosting service. The administrator was doing something complicated, redirecting the script to eBay if the referrer included a reference to them. But the result was that if you try to access the script manually by yourself, eBay shows up. Bad idea. Let's say a person suspects that the message is not real. He tries the link manually and eBay shows up. Most likely he'll think that the message is genuine, fill in the form and get his credit card cloned.

Other administrators are doing things differently. I saw a phishing page this week that had been replaced with a warning page explaining phishing, in case you are a potential victim, and trashing the phisher. I'll see if I can recover the link for you to see.

And I've just contacted another who is taking a strong stand against scammers. But this is for another article.

Today I'm writing about human stupidity and how technology makes things worse.

Lately I'm seeing that the number of scam messages from LatinMail is increasing. This happens often: a free mail service gets popular among them. Yahoo is still number one, even though it's also number one in closing their accounts.

The trick nowadays is to send the first message through a spam server, with a disposable mail account as the alleged sender, and once contact with the mark has been established, move the operation to the Yahoo account.

Sending from a spam server makes the message impossible to report: no mail provider will act on it just because the address allegedly used belongs to them. They want a Received header showing that the message was generated on their servers.

This trick works as a sieve: those who suspect the message can't report it and won't pursue the matter, and those who answer won't report it.

But sometimes they use a mail server that they know, or think, is lenient in its abuse policy, like LatinMail in this case and another that is rising, adinet.com.uy.

I started reporting just to see if there was a response. I didn't get one, but at least the abuse address didn't bounce, something that's pretty common.

Then a couple of messages bounced. That was odd. Most of the time the bounces happen because the abuse address doesn't exist at all or its quota has been exceeded, meaning that nobody has checked the account in years. And in both cases the bounce is immediate and for every message.

This time only a couple of them bounced. So I took a closer look at the bounce message. And I found this:

<latinmail@latinred.net>: host mail.latinred.net[62.37.236.165] said: 451
Blocked - see http://www.spamcop.net/bl.shtml?62.37.236.187 (in reply to
RCPT TO command)


SpamCop is an organization working against spam; I guess the name is graphic enough. They take information from user reports and from spam traps they set on purpose. From that information they keep a database of offending IP addresses, the addresses from which spam messages originate. The database is public, published as a DNS-based blocklist (bl.spamcop.net) that any mail server can query to check whether the source of a message has been reported. I'll get back to the details later.

Using this database, LatinMail's server detected that the IP address 62.37.236.187, the one named in the bounce, has been reported as a source of spam several times. So they blocked the message and bounced it. (The 451 is a temporary rejection, so my server kept retrying for a while before it gave up and returned the bounce.)

Nice, isn't it? Well, not really. Because the address 62.37.236.187, like the rejecting host 62.37.236.165 itself, belongs to LatinMail. And it was reported several times, along with others also belonging to LatinMail, because it is the source of a lot of spam. Including scam messages.

The second minor detail in this story is that the message I sent wasn't generated or forwarded by that IP. The reference to that IP was in the header of the message I was reporting, which was quoted inside the body of my message.

Somehow, their script is unable to tell where the real header ends. Somehow meaning someone did a lousy job: the header section has a distinctive boundary, the first empty line of the message, and anything after it is body text, no matter how much it looks like a header.

But the bottom line is that it's impossible to report abuse to LatinMail. If you take the IP address out, they won't see evidence that the message originated from them. If you leave the IP address in, the message bounces.
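Here is the difference between what LatinMail's script apparently does and what it should do, as an added example (it is not the post's own code and not LatinMail's script). The abuse report, the quoted scam headers and the "listed" entry standing in for a SpamCop DNS answer are all constructed for the demonstration; 203.0.113.5 is a documentation address, and bl.spamcop.net is the zone SpamCop publishes its list under. A careless filter greps every "Received:" line in the whole message, so the quoted spam headers in the body get the reporter rejected; the correct version parses the message and reads only the real header section, which ends at the first empty line.

```python
"""Added example: extracting the sender IP of an abuse report correctly.

Everything in REPORT and LISTED is constructed for this demonstration."""
import re
from email import message_from_string

# Constructed abuse report: the reporter's own headers, an empty line, and
# then the quoted scam (with LatinMail's address in its Received line) in
# the body.  203.0.113.5 is a documentation address standing in for the
# reporter's mail server.
REPORT = "\n".join([
    "Received: from mail.example.net (mail.example.net [203.0.113.5]) by mail.latinred.net with ESMTP id k7VAbC; Thu, 31 Aug 2006 10:00:00 +0000",
    "From: reporter@example.net",
    "To: latinmail@latinred.net",
    "Subject: abuse report: scam sent from your server",
    "",
    "This scam was sent from your network. Full headers follow:",
    "",
    "Received: from latinmail.com (mail.latinred.net [62.37.236.187]) by mx.example.net with SMTP id x1y2z3; Wed, 30 Aug 2006 08:15:00 +0000",
    "From: scammer@latinmail.com",
    "Subject: URGENT BUSINESS PROPOSAL",
    "",
    "I am contacting you regarding a payment officer position...",
])

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def naive_received_ips(raw):
    """What a careless filter does: take every line that starts with
    'Received:' anywhere in the message, quoted body included."""
    return [ip for line in raw.splitlines()
            if line.lower().startswith("received:")
            for ip in IP_IN_BRACKETS.findall(line)]


def real_received_ips(raw):
    """Correct: the header section ends at the first empty line, so parse
    the message and read only the real Received headers."""
    msg = message_from_string(raw)
    return [ip for hdr in msg.get_all("Received", [])
            for ip in IP_IN_BRACKETS.findall(hdr)]


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNSBL lookup name: the octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed stand-in for a DNS answer: only LatinMail's address is listed.
LISTED = {"187.236.37.62.bl.spamcop.net": "127.0.0.2"}


def is_listed(ip, lookup=LISTED.get):
    """A 127.0.0.x answer means listed; no answer (None) means not listed."""
    answer = lookup(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.0.0.")


def reject_report(raw, extract=real_received_ips):
    """Return the first listed IP the filter would reject on, or None."""
    for ip in extract(raw):
        if is_listed(ip):
            return ip
    return None


if __name__ == "__main__":
    print("careless filter rejects on:", reject_report(REPORT, naive_received_ips))
    print("correct filter rejects on:", reject_report(REPORT))
```

Run with the careless extractor, the report is rejected because of 62.37.236.187, the address quoted in its body; with the correct one, only the reporter's own relay 203.0.113.5 is checked and the report gets through.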

And I'd applaud a system so efficient in dealing with reports. But this one wasn't meant to work like that. This is just the result of plain stupidity in charge of technology.

This is a real Dilbert system, something that Scott Adams talked about in "The Way of the Weasel". A system so incompetent that it looks brilliant in terms of results from a corporate point of view. Their antispam software blocked thousands of messages, showing that it's incredibly efficient, and thousands of abuse reports never reached them, showing an incredibly clean mail server.

And going back to SpamCop. The idea is good but I think it's a very complicated solution for a very simple problem. Eventually they'll fill the database with almost all the IP addresses that don't belong to a mail server, and some that do. The database is going to be huge; probably it is now. And it doesn't take into account the human factor, like this case of LatinMail: someone using the database to filter the very mailbox that is supposed to receive complaints about them.

You can read about my idea in a previous article. A system that's simpler, more efficient and based on information and protocols that are available now. There's no need to invent new stuff.

The idea basically is that every server receiving mail (SMTP) must verify the IP of the sender through the domain name system to see if it's declared as a mail server. It has to receive only from other declared mail servers and terminate immediately any other attempt. This way it saves storage space and bandwidth. The database to check is smaller, it's efficient and it's in use right now. Eventually, the servers can make a second query to another database, public or private, to check whether the sender, even being another mail server, should be banned for any reason. One caveat: a domain's inbound servers (its MX records) are not always the hosts it sends from, so the sending hosts have to be declared separately or legitimate outbound relays get rejected; that is what SPF records, standardized this year as RFC 4408, are for.
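The proposed check written out as the policy decision an SMTP server would make at MAIL FROM time, as an added example (not code from this post or from any mail server). DNS is replaced by a constructed in-memory table so it runs offline; all host names and addresses are made up, using the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. The example also includes the second, private ban list the post mentions, and it shows the caveat: a legitimate outbound relay that is not listed as an MX host (out.example.net here) is rejected just like a spam zombie.

```python
"""Added example: accept SMTP only from the sender domain's declared mail
servers, then apply a local ban list.  The DNS tables are constructed."""

# Constructed DNS: MX hosts per domain, and A records per host name.
MX = {"example.net": ["mx1.example.net", "mx2.example.net"]}
A = {
    "mx1.example.net": ["203.0.113.10"],
    "mx2.example.net": ["203.0.113.11"],
    # A real outbound relay of example.net that is NOT one of its MX hosts.
    "out.example.net": ["203.0.113.50"],
}

# The second, private database the post mentions: declared mail servers the
# operator has decided to refuse anyway (constructed entry).
BANNED = {"203.0.113.11"}


def declared_mail_servers(domain, mx=MX, a=A):
    """All IPs that the domain's MX records point to."""
    return {ip for host in mx.get(domain, []) for ip in a.get(host, [])}


def smtp_policy(peer_ip, mail_from, banned=BANNED):
    """Decide the reply to MAIL FROM for a connection from peer_ip.

    Returns (reply code, text).  A 550 means the server should reject and
    close the connection right away, as the post proposes, without ever
    receiving the message body."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if peer_ip not in declared_mail_servers(domain):
        return 550, "5.7.1 %s is not a declared mail server for %s" % (peer_ip, domain)
    if peer_ip in banned:
        return 550, "5.7.1 %s is refused by local policy" % peer_ip
    return 250, "2.1.0 Ok"


if __name__ == "__main__":
    for peer in ("203.0.113.10", "203.0.113.11", "203.0.113.50", "198.51.100.7"):
        print(peer, smtp_policy(peer, "user@example.net"))
```

Only 203.0.113.10 is accepted: 198.51.100.7 (a zombie) and 203.0.113.50 (the unlisted but legitimate relay) fail the first query, and 203.0.113.11 passes the first query but is on the local ban list.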

And that's the problem with the world this days. Things are going so bad just because nobody's asking me...

2 comments:

Miss Trashahassee said...

Your blog provides a very good service. Keep up the good work!

"Jet" said...

Hey thanks for the comment! I thought I was being a royal bitch!

Nice diggs here with good things to say... Stop by again.

JTL